The present invention relates in general terms to the management of rights of access, by subjects constituting users or software modules of a data processing means, to objects such as applications implemented in the data processing means. More particularly, the invention relates to the administration of access to resources in a portable electronic object, such as a chip card, also known as a microcontroller card or integrated circuit card, constituting the data processing means, in particular when the chip card is a multiapplication card.
Because of the ever greater number of increasingly complex applications loaded into a chip card, the applications, which constitute the principal resources of the card, are becoming more and more difficult to manage. The difficulty also stems from the many partners participating in the allocation of access to the applications, whose interests sometimes diverge. These partners may be the manufacturer of the chip card, the distributor or operator of the chip card, and the developers of the applications in the chip card.
Nevertheless, despite this complexity, access to the chip card resources must be controlled and made secure.
At the present time, access to a processing resource, such as an application, is effected by transmitting, from a terminal accepting the chip card, at least one command constituting an application protocol data unit (APDU) which contains data, or a reference to data, present in the card and to be processed there. According to another variant, access to a resource in the card can be effected at a higher level by invoking a method of an object present in the card, when the card contains applications written in an object-oriented high-level programming language such as Java.
The coexistence and cooperation of several applications within the same chip card raise many security problems. In particular, each application has its own data, for which the developer of the application defines access rights peculiar to that application. The access conditions are the means of connection between external accessors, which may be users of the card or software modules such as user interfaces, and elements internal to the card such as applications, possibly via other applications or other application software elements in the card.
The control of the access conditions is based on the identification of the subjects Su, such as the users, which are the “active” elements which manipulate information contained in objects Ob, such as applications, which are “passive” elements containing data. The conditions for the access of the subjects Su to the objects Ob are governed by access control rules between the subjects and the objects. Each rule comprises an access right, that is to say a link between a subject and an object in the form of an action which can be performed by the subject on the object.
It is known how to represent the conditions for access of subjects Su to objects Ob by an access matrix MA whose columns correspond to subjects and whose rows correspond to objects, as shown in FIG. 1. For example, the matrix MA relates to three subjects S1, S2 and S3, such as three users, and to three objects O1, O2 and O3, such as files and programs. Each box in the matrix at the intersection of a row and column contains access rights, that is to say privileged actions which can be performed by the respective subject on the respective object.
The access rights may be positive, allowing a predetermined action by a subject on an object, or negative, preventing a predetermined action by a subject on an object. For example, the subject S2 can read and execute the object O2 but cannot write to it, and the subject S3 can read the object O1 but cannot record or write to it.
As is known, the access control rules are generally dealt with according to two approaches.
The first approach consists of access control lists (ACL) corresponding to the rows in the access matrix MA and each specifying rights of access by subjects to the object associated with the row. By way of example, in a multiapplication chip card of the Windows (registered trade mark) type, access control lists ACL define accesses by users to files included in the card.
Conversely, the second approach consists of capabilities, corresponding to the columns in the matrix MA, each specifying the access rights of the subject associated with the column over the objects. For example, the access control relates to applet methods in multiapplication smart cards of the JavaCard type, in which programs have been written in the Java language. The capabilities take the form of pointers used to call methods, constituting the objects, in predetermined applets, constituting the subjects.
For simplicity, reference will be made hereinafter to the management of access control lists, although the invention also relates to the management of capabilities. Access control lists and capabilities are both to be considered as lists of rights of access between at least one subject and at least one object.
With a present-day chip card, modification of the access control lists is reserved to a single card administration authority. After the card has authenticated the administration authority, the authority requests modifications to the access control lists, for example by adding or eliminating lists, adding or eliminating subjects in a list, or adding or eliminating access rights of a subject with respect to an object.
This single administration authority must of course comply with the requirements of the various partners participating in the production and management of the various application resources in the chip card.